On 6 Aug 2000, at 15:21, Jean-Yves BARBIER wrote:

> On Sun, Aug 06, 2000 at 02:26:45PM +0200, Patrick Vermeij wrote:
> > Hi
> >
> > I'm configuring my firewall and before I connect it to the web I want to be
> > sure no unwanted services are public to the internet
> > But when I look with netstat -l , I see some strange ports open which I
> > don't recognize.
> > Has any of you any idea?
> > (I already telnet to the ports but no info is available)
> >
> > tcp 0 0 *:797 *:* LISTEN
> > tcp 0 0 *:757 *:* LISTEN
> > tcp 0 0 *:826 *:* LISTEN
> > tcp 0 0 *:746 *:* LISTEN
>
> Hi Patrick,
>
> First, don't use netstat for this purpose, prefer nmap,
> which can give you reliable information.
>
> These ports look quite strange if you're running a
> Linux system (no port 111, nor 21, 23, 9... ???).
>
> But don't worry so much: netstat tells you they're open
> on the machine you tested, that's a point; but that doesn't
> mean they can be accessed by anyone on the net (use netstat
> to check what is going where [route, masquerading...], then
> use nmap to know about the reachability of these ports);
>
> To have a really good test, call a (good) friend and tell
> him to nmap (or strobe, or whatever tool that is able to do
> port scanning *and* connection tests) toward your Internet
> IP.
>
> In addition, go to http://www.psionic.com and get the portsentry
> program; install it on your internet gateway; make sure (only
> for the tests) it doesn't cover localhosts in its survey, then
> test from inside *and* outside.
> This is a very nice program, totally GNU/GPL which is able to
> discover a port scan (even a random one!) and take the
> counter-measures (such as putting the scanner IP in /etc/hosts.deny)
>
> Make sure you've forbidden all internal-use segments (A, B & C
> classes) to come on your internet I/F, make sure you activated
> anti-spoof, check all ports to see if unnecessary ports are not
> opened.
>
> Hope it will help ;-)
>
> JY
> --
> Jean-Yves F. Barbier <[EMAIL PROTECTED]>
> VMS version 2.0 ==>

Hi All,

Thanks for the help in the first place. After this mail I still have some more questions:
(btw the ports I mean are not the only ports, e.g. ssh is also running but that's a "wanted" service)

After I put my machine online for a few minutes, I made a telnet connection to a host on the Internet and telnetted to the 4 "strange" ports. After I got a connection, I manually disconnected. All these 4 ports were reachable:

[EMAIL PROTECTED] patrick]$ telnet 111.222.333.444 826
Trying 111.222.333.444...
Connected to 111.222.333.444.
Escape character is '^]'.
^]
telnet> Connection closed.

Well, I installed portsentry already, but that program doesn't forbid a connection (it only detects a connection and takes some pre-installed action upon it).
I can deny connections by using ipchains but that's preferred solutions because the services are still running and vulnerable to a localhost exploit.
So I want to completely disable this service, so I have to know which service this is.

Any ideas?

Patrick

---
Encryption: A powerful algorithmic encoding technique employed in the creation of computer manuals.
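
Added example, not part of the original thread: one way to find which process owns each listening TCP port on a Linux host, by reading the socket table in /proc/net/tcp and matching socket inodes against /proc/<pid>/fd. The sample table and its inode numbers are constructed; only the port numbers come from the message above. It covers IPv4 only (/proc/net/tcp6 holds the IPv6 table).

```python
import os

# Constructed sample in /proc/net/tcp format (not captured from the poster's host).
# Ports 0x031D, 0x02F5, 0x033A are 797, 757, 826 from the thread; inodes are made up.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:031D 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1101 1 0 0
   1: 00000000:02F5 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1102 1 0 0
   2: 00000000:033A 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1103 1 0 0
   3: 0100007F:0016 0100007F:8002 01 00000000:00000000 00:00000000 00000000     0        0 1104 1 0 0
"""

TCP_LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp

def listening_sockets(table_text):
    """Return {port: inode} for every LISTEN row of a /proc/net/tcp table."""
    result = {}
    for line in table_text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 10 or fields[3] != TCP_LISTEN:
            continue                                  # not a listener (e.g. ESTABLISHED)
        port = int(fields[1].rsplit(":", 1)[1], 16)   # local port is stored in hex
        result[port] = int(fields[9])                 # column 9 is the socket inode
    return result

def owners(inodes, proc="/proc"):
    """Map socket inode -> (pid, command name) by scanning <proc>/<pid>/fd."""
    found = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            for fd in os.listdir(f"{proc}/{pid}/fd"):
                target = os.readlink(f"{proc}/{pid}/fd/{fd}")
                if target.startswith("socket:["):
                    inode = int(target[8:-1])         # "socket:[1103]" -> 1103
                    if inode in inodes:
                        with open(f"{proc}/{pid}/comm") as fh:
                            found[inode] = (int(pid), fh.read().strip())
        except OSError:   # process exited meanwhile, or no permission: skip it
            continue
    return found

if __name__ == "__main__":
    with open("/proc/net/tcp") as fh:
        socks = listening_sockets(fh.read())
    who = owners(set(socks.values()))
    for port, inode in sorted(socks.items()):
        print(port, who.get(inode, ("?", "unknown (try running as root)")))
```

Run as root on the firewall itself so that the fd directories of other users' processes are readable; a listener with no owning process reported is typically held by the kernel rather than a userspace daemon.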

